DOCUMENT 



RESUME 



EA 002 218 



ED 029 379 

Fault Tree Analysis: A Research Tool for Educational Planning. Technical Report No. 1. 

Alameda County School Dept. PACE Center, Hayward Calif. 

Spons Agency- Office of Education (DHEW). Washington. D.C. Bureau of Elementary and Secondary Education. 

Report No-ESEA Title 3 

Pub Date Oct 66 

Grant-OEG-4-6-001646-0904 

Note-97p.: Technical Report No. 1 

EDRS Price MF-S0.50 HC Not Available from EDRS. 

Descriptors- Aerospace Industry. •Critical Path Method •Educational Planning. •Educational Research. 
Models. •Operations Research. Program Evaluation. Resource Allocations. ^Systems Analysis. Systems 
Approach. Systems Development 

Identifiers- • Fault Tree Analysis. PACE. Projects to Advance Creativity in Education 

This ESEA Title III report describes fault tree analysis and assesses Its 
applicability to education. Fault tree analysis is an operations research tool which Is 
designed to increase the probability of success In any system by analyzing the most 
likely modes of failure that could occur. A graphic portrayal, which has the form or a 
tree, is constructed by a series of logical steps, showing at each stage precisely how 
a given failure can occur. Mathematical formulas based on the probability of 
occurrence of individual events are applied to determine the critical path leading to 
the top undesired event. Among the many advantages of this technique Is Its 
usefulness as a device for evaluation of processes as opposed to the more common 
evaluation of products. The document includes a history of fault tree analysis, 
principles of fault tree construction, a prototype fault tree with analysis, and 
evaluation of fault tree analysis as an educational research and planning technique. 
Although many technical problems are yet to be solved, fault tree analysis holds much 
promise for application to education. [Not available in hard copy due to marginal 
liability of original document.] (TT) 



EDO 



O' 

IV. 

K\ 

O' 

r\j 




7 ' n L& 



U.S. DEPARTMENT OF HEALTH, EDUCATION & WELFARE 
OFFICE OF EDUCATION 



THIS DOCUMENT HAS BEEN REPRODUCED EXACTLY AS RECEIVED FROM THE 
PERSON OR ORGANIZATION ORIGINATING IT. POINTS OF VIEW OR OPINIONS 
STATED DO NOT NECESSARILY REPRESENT OFFICIAL OFFICE OF EDUCATION 
POSITION OR POLICY. 

FAULT TREE ANALYSIS: 



A Research Tool for Educational Planning 
Technical Report No. I 



Including a prototype fault tree applied to the general problem, 

"Preparation for the world of work” 



Alameda County School Department PACE Center 
225 West Winton Avenue 
Hayward, California 94544 



(The development of this report was a service of the Alameda County 
School Department PACE Center, established by a grant from the 
U. S. Department of Health, Education, and Welfare, Under Title III 
of the Elementary and Secondary Education Act of 1965 (P.L. 89-10) 
Grant No. 0EG-4-6-001646-0904.) 



October 1968 



ROCK LaFLECHE 

Superintendent of Schools of Alemede County 
224 WEST WINTON AVENUE 
HAYWARD, CALIFORNIA 94544 



Developed by 



"PERMISSION TO REPRODUCE THIS 
COPYRIGHTED MATERIAL HAS BEEN GRANTED 
BY George F. Wilkinson, Dir* 
Al amecET County paus center 

TO ERIC AND ORGANIZATIONS OPERATING 
UNDER AGREEMENTS WITH THE U.S. OFFICE OF 
EDUCATION. FURTHER REPRODUCTION OUTSIDE 
THE ERIC SYSTEM REQUIRES PERMISSION OF 
THE COPYRIGHT OWNER." 



The technique described in this report is undergoing further 
development . In order to be of maximum benefit, the materials 
herein should not be reproduced without prior consultation 
with the Alameda County School Department PACE Center . 



Alameda County School Department PACE Center 

Professional Staff 



Mr. George F. Wilkinson, Director 

Mr. Jesse Perry, Assistant Director for Urban- Suburban 

planning and Coordination 
Mrs. Irene Sisler, Information Specialist 

Dr. Belle Ruth Witkin, Research and Evaluation Specialist 



Executive Council 



Dr. Higgins Bailey, Superintendent 
Emery Unified School District 

Dr. Peter Bancroft, Superintendent 
Livermore Unified School District 

Mr. Anthony Biggs, Director of Community Services 
Oakland Tribune 

Dr. Reed L. Buffington, Superintendent 
South County Junior College District 

Dr. Eugene Clark, Director of Placement Services 
California State College at Hayward 

Monsignor Pearse Donovan, Superintendent of Schools 
Diocese of Oakland 

Dr. James Guthrie, Acting Assistant Professor 
University of California 

Mrs. Lorna Jones, Community Representative 

Mr. Rock La Fleche, Superintendent of Schools 
Alameda County School Department 

Dr. Thomas A. MacCalla, Assistant Superintendent 
for Special Urban Educational Services 
Oakland Unified School District 

Mr. John I. MacGregor, Superintendent 
Newark Unified School District 

Mr. Irving Miller 
Dura Business Machines 

Mr. Arthur O'Leary, Headmaster 
Anna Head School 

Mrs. Mary Rodrigues 

Alameda County School Boards Association 

Dr. Roger Schulte, Assistant Superintendent 

Curricular Services 

Alameda County School Department 

Dr. Wayne Sorenson, Administrative Assistant 
for Educational Research and Development 
Hayward Unified School District 





PREFACE 



The development of the prototype fault tree displayed 
in this report grew out of an extensive assessment of needs 
in Alameda County related to preparation of youth for the 
world of work, and the concomitant need for an adequate 
tool for administrative decisions regarding long-range 
planning and resource allocation . It is presented here 
in the hope that it will stimulate creative new approaches 
to educational problems . 

Technical development of the tree and the preparation 
of this report were done by Belle Ruth Within, Research and 
Evaluation Specialist for the RACE Center, under the general 
direction of George F . Wilkinson, Center Director . 

Special acknowledgment is given to Kent Stephens, 

Director of Business Services, Seattle Public Schools, who 
was the principal technical consultant ; David Haasl of the 
Institute of Systems Science; Jon Stephens and Robert Schroeder 
of the Boeing Company; and Marvin Lamoureux, part-time research 
assistant for the ,Center . 

Also, special appreciation is extended to the many others 
who assisted with the construction of the tree by describing 
possible failure elements and providing critiques for the tree . 
Their encouragement and help were invaluable and their sugges- 
tions are incorporated in the final version of the tree . 




TABLE OF CONTENTS 



Page 




i 





n 



n 



i 








i 




TITLE PAGE 
PREFACE 



1.0 INTRODUCTION I 

1. 1 Definition I 

1.2 Applicability to education 2 

1.3 Scope and purpose 3 

2.0 HISTORY 5 

3.0 PRINCIPLES OF FAULT TREE CONSTRUCTION 9 

3.1 Definitions 9 

3.2 General steps 9 

3.2.1 Analysis of the system 10 

3.2.2 Identification of subsystems and elements II 

3.2.3 Bounding the system 12 

3.2.4 Problem area identification 12 

3.2.5 Identification and classification of 

undesired events 13 

3.2.6 Selection of the undesired event for 

the top of the tree 15 

3.2.7 Construction of the tree 16 

3.2.8 Validating the tree 21 

3.2.9 Determining the critical path(s) 22 

3.2.10 Submission to decision-maker (s) 22 

3.3 Using the analysis 23 

4.0 A PROTOTYPE FAULT TREE 24 

4.1 Choice of problem 24 

4.2 Analysis of the systems, bounds and constraints 26 

4.3 Selecting the critical undesired event 27 

4.4 Scoping the tree 28 

4.5 Determining the failure modes 32 

5.0 ANALYSIS OF THE PROTOTYPE TREE 33 

5.1 Reading the tree 33 

5.2 Major findings 34 

5.3 Some implications 39 

5.4 Summary 41 

6.0 EVALUATION OF FAULT TREE ANALYSIS AS AN EDUCATIONAL 

RESEARCH AND PLANNING TECHNIQUE 42 

6.1 Use of expertise 42 

6.2 Evaluation of program 43 

6.3 Design completeness 43 

6.4 Resource allocation 45 







APPENDIX -- A prototype fault tree 




1.0 INTRODUCTION 



I 

I 

1 



I 

I 

i 



1 . 1 Definition 

Fault tree analysis is an operations research tool which has been 
used with signal success as the principal analytical tool of 
system safety engineering on aerospace projects. The prototype 
displayed in this document is the first full scale application 
to an educational problem. 

Fault tree analysis is a technique for increasing the probability 
of success in any system by analyzing the most likely modes of 
failure that could occur. The fault tree was so named because 
the completed graphic portrayal of a functional system has uti- 
lized a branching process analogous to the development of a tree. 
The undesired event is located at the apex, and the various con- 
tributing events are the branches that extend outward and down. 

A fault tree, also called an "event logic network," provides a 
concise and logical step by step description of the various 
combinations of possible occurrences within a system which can 
result in a pre-defined "undesired event." It is a diagram which 
traces systematically the probable modes of failure leading to 
the undesired event, the interactions among these modes, and the 
critical paths. 

The process of cause and effect analysis starts with the state- 
ment of a critical undesired event which one wants to prevent 










1.1 



Definition 



happening. The fault tree is then constructed by a series of 
logical steps, showing at each stage precisely how a given 
failure* event can occur. When the tree is finished, mathematical 
formulas based on the probability of occurrence of individual 
events are applied to determine the critical path leading to the 
top undesired event. On large trees, the data are fed into a 
computer for simulation and quantification. 

1.2 Applicability to education 

Fault tree analysis has the following advantages for educational 
planners: (1) It forces the asking of those questions which 

identify the things that retard attainment of objectives or, 
worse, result in absolute failure to reach them. (2) The 
completed tree makes it possible for expert judgment to be brought 
to bear on one portion of a problem at a time, and, perhaps most 
important, shows the interrelationship of all elemeni s in the 
program in a systematic way providing information to teachers, 
principals, superintendents or school boards, of a type and in a 
form which will provide a rational basis for decision-making. 

(3) Since a good tree has predictive value, it permits redesign 
of new programs or the building in of safeguards before the program 
is put into operation. (4) It can also provide continuing 
evaluation of a program in operation, thus signaling the need for 
correction to prevent failure. (5) Its greatest value lies 
in its use as a planning and design technique. When properly 



*By ’’failure” is meant the inability of a system or portion of a 
system to perform its expected function (s) . 



- 2 - 



1.2 Applicability to education 

implemented, it can assist instructional planners and educational 
researchers to discover the most probable weaknesses in a plan, 
and thus provide data for decisions regarding the allocation of 
resources for the improvement of the system. Most evaluations 
of new programs are concerned mainly with the ’’products” of a 
change. Fault tree analysis also provides for ’’process” 
evaluation, and is thus particularly applicable to field studies. 

Further advantages are: 

a. The analysis is valuable for putting all pieces of a problem 
together into a systematic whole. 

b. It pinpoints areas of responsibility, 

c. It enables an administrator, as manager, to analyze value 
judgments and philosophical statements into manageable, 
Quantifiable statements of events . 

1.3 Scope and purpose 

This report will cover the following additional sections: 

Section 2.0 A brief history of fault tree analysis 

and a comparison of its use in engineering 
and the behavioral sciences. 

Section 3.0 Principles of fault tree construction. 

Section 4.0 A description of a prototype fault tree 

applied to the general problem, ’’Improvement 
of education as preparation for the world of 
work.” 

Section 5.0 Analysis of the prototype tree. 

Section 6.0 Evaluation of fault tree analysis as an 

educational research and planning technique. 



- 3 - 



1.3 Scope and purpose 



The tree depicted in this report can to a. degree be used as a 
general model. Restrictions on that use will be noted in Section 
5.0. The analysis has been undertaken only to the extent of 
drawing the tree and verifying the inputs. The quantification 
of the tree, to determine the most critical paths, will require 
a probability evaluation of the failure events which is beyond 
the scope of this document. 

The prototype tree displayed here should not be construed as 
representing the final drawing of the tree. Many other possibil- 
ities exist, some of which are discussed in Section 4.4. 

The purpose of this report, then, is to give educators some back- 
ground in fault tree analysis as applied to educational planning 
and evaluation, together with an example from a problem of 
pervasive national concern. Future reports will deal with prob- 
lems of quantification and evaluation of fault trees, simulation, 
and further application to specific systems. 



- 4 - 



2.0 HISTORY 

The concept of fault tree analysis originally developed as a 
technique which Bell Telephone Laboratories used to perform a 
safety evaluation of the Minuteman Launch Control System. Bell 
engineers discovered that the method used to describe the flow 
of "correct" logic in data processing equipment could also be 
used for analyzing the "false" logic resulting from component 
failures. 1 The format was also well suited to the application 
of probability theory in order to define numerically the critical 
fault modes. Haasl points out that the Minuteman Safety Study 
was successfully completed using the new technique, and provided 
convincing arguments for the incorporation of a number of equip- 
ment and procedure modifications. 

Further development of the analytical and mathematical techniques 
of fault tree analysis has occurred principally in The Boeing 
Company, and since it was first introduced in 1961, the technique 
has been applied to many different systems inside and outside the 
company. Some of these have been a model of the man/machine 
interface in a manned space system, and analysis of such problems 
as highway safety and vandalism in the schools. 

The application of fault tree analysis to educational problems 
came about originally through the interest of the Alameda County 
PACE Center in discovering a predictive tool which would act as 



Haasl, David F. Advanced Concept^ in faulty Anaiys l | Paper 
presented at System Safety Symposium, June 1965. Universi y 
Washington and The Boeing Company. 



2.0 HISTORY 






a sort of "early warning" signal to educators regarding critical 
needs to which they should direct their attention. A prime 
function of PACE 2 Centers in California (funded under Title III 
of the Elementary and Secondary Education Act, P.L. No. 89-10) 
has been to develop means of assessing educational needs so that 
priority could be given to those areas of instruction most in 
need of innovative or exemplary solutions. 



In 1966, when the Alameda County PACE Center was first funded, 
many of the really pressing problems were known in a general way. 
Efforts of most of the California centers therefore centered on 
identifying in depth and more accurately than before the needs 
of students, a "need" being defined as "a significant discrepancy 
between societal expectations and actual performance profiles of 
a given target population." It should be noted that needs were 
defined in terms of students, not of the school system itself. 
Many models were tested by the 21 centers, most of them involving 
to a greater or lesser degree the perceptions of students, 
teachers, administrators, parents, or people in the surrounding 

community. 

The results of the Alameda County PACE Center’s needs assessment 
and the relationship of fault tree analysis to the assessing of 
needs and assigning of priorities are detailed elsewhere. The 
Center was continuing to search, however, for an analytical tool 




^Acronym for Projects to Advance Creativity in Education. 

^Master Plan for Occupational Preparation in Alameda County. In 
preparation. 

- 6 - 



HISTORY 



which would alert administrators, school boards, and parents to 
emerging aspects of a problem which might be overlooked through 
the use of conventional research tools. (An analogy might be the 
development of "multiphasic" health testing in preventive 

medicine .) 

In the fall of 1966, the research specialist of the Center was 
put in touch with Kent Stephens, then a member of an aerospace 
group in The Boeing Company, and first learned about fault tree 
analysis. Subsequently, Stephens and two colleagues, David Haasl 
and Jon Stephens, visited the PACE Center to explain the princi- 
ples of fault tree analysis, and in May 1967 they conducted a 
week-long training program for school administrators and other 
interested persons under the sponsorship of the Center and the 
Alameda County School Department. There the first trees applied 
to educational problems were drawn, and the possibilities of the 
technique were explored. Subsequently, Sam Henrie, research 
director for the Emery Unified School District, and Robert E. 
Swain, then principal of Emery High School, conducted an analysis 
based on the district's new communication program, which generated 
significant information and pointed the way to some needed changes 

The tree displayed in this document was developed out of the 
experience in that workshop and further technical training 
received by the writer at a two-week intensive summer institute 
on System Safety Engineering, conducted by the University of 
Washington in August 1967. 



- 7 - 



2.0 HISTORY 



The prototype tree (see Appendix) was constructed because one of 
the most pressing needs of students in Alameda County (as well as 
elsewhere in California) was found to be better preparation for 



the world of work. With an unemployment rate of youth 17 to 2H 
years old running as high as 35 percent in some locations, the 
problem was an urgent one. The critical undesired event chosen 
for analysis was "Failure to be employed at an entry-level job 
with possibilities for advancement." Rationale for the choice 
of this event is given in Section M-.3. 



- 8 - 



3.0 PRINCIPLES OF FAULT TREE CONSTRUCTION 4 

In this section are set forth some general principles of fault 
tree construction. The discussion is limited to the logic net- 
work itself, and does not include the mathematical principles. 



3.1 Definitions 

Svstem: an interacting set of discrete independent elements. 

“ 1 System may include two or more subsystems. 



A 



pi pmpnt nr comoonent : the fundamental unit of analysis. May be 

SSrtT procedures, ideas, methods--people , materials, equip- 
ment ’rooms, etc. The element exists in its own right, 
regardless of the existence of the system. 

i Faoh element interacts with other elements 

lnte to Ct pr -g f uce dLir^ie or undesirable results. If you change the 
state of one of the elements, you change the system. 

An aircraft with 4 engines. 

If one engine goes out, the system is chang . 

If Z engines^go out, the system is further changed . ,3 
If both engines out are on the same side, the y 

different from one in which one engine on each side 

is out. 

A sophomore English class with 20 students is a different 
svstem from one with 35 students* 

A classroom with fixed desks is a different system from 
one with movable chairs. 



e . g i 



e.g, 



3.2 Heneral steps 

1. Analyze the system. See Figure 1 for the systems approach. 

2. Identify the pertinent subsystems and elements (components). 

3. Bound the system for purposes of analysis. 

Decide whether to use success or failure analysis for problem 
area identification. 

s ssr ss^rsus '.v 

■s jsss' S 

Section 2.0, above. 



• x ox. " *.t**T‘' " 



- 9 - 



Figure 1 — THE SYSTEMS APPROACH 



o 



C rH 

o cd 

•H (1) 

4-1 d 

cd H 

rH 4-1 

o c o 

4-1 cd i 
CO O 

O 4-1 CO 
P-4 O 






w 



TT| 

9 



w 

•H 

o 

cu 

Q 

M-l 

m 

0 

1 

cu 

'O 

03 

H 



o 

in 



to 




a) 




U-J o 




o u 




D 


d 


d o 


o 


O to 


•fH 


to a) 


4J 


•fH Pi 


CO 


U ^ 


rH 


co 3 ; 


, D 


a 


g 


B rH 


•pH 


O CO 
<j a) 


CO 


TU 




M 





o 



mj a) 




O rH 




X> 




d co 


d 


o o d 


o 


•H *H o 


•H 


4J HJ *H 


HJ 


CO O 4J 


CO 


H CO 3 


rH 


D ^ rH 


D 


g P o 


6 


U co 


•H 


o cd 


CO 


P 





o 



MJ 


i 


O 




d 




o 




•H C 




HJ O 




CO *H 


H 


HJ HJ 


PS 


d d 


W 


Cl) rH 


Ph 


6 o 




cu co 




rH 




a 




B 




H 





w 



w 

rH 

CO 

a 



O 

oo 





] ^ 




to 


d 


to 


o 


0) 


•H rH 


o 


HJ CO to 


o 


cO a) g 


D 


O Pi Q) 


CO 


•H rH 

MJ 0) 


— > 


x: o 


Pi 


HJ HJ U 


o 


d Ph 




<u mj 




ro O 




H 


• 



<N 

co 



e 

w cu 

•rH 4J w 
to to to 
>» fo CU 



CO 

d 

< 



o 
o 

^ D 

O CO 





“C 








o 


to 






tH T) 


B 






ii a) 


co 






* s*i w 


IH 






a h^ 


W) 


N 




co e 
«w <u a 


u 

o 


s 

CM 


• 


Q > 


HJ 


• 


CM 


4j w 


o 


CM 


• 


C M-l 


a) 


• 


1 ^ 


01 o 


> 


00 









d 


T3 




•H 


CU 




N 


1*1 


to 


•H 


•H 


HJ 


HJ 


to 


d 


•H 


0) 


cu 


IH 


P 


> 


o 




w 


•H 


14J 




1*1 


O 




Ph 







1^1 

CM 



m 



c o c 
o 4-4 <u 
•H O <U > 
4J O w 

cd co c 




C CU CU T3 


/ 


-j-4 -XJ J_l CU 




E Oh h 


■ 


h ED-h 


CM 


cu a co 


• 


4-1 4-4 O (U 


00 




I 

col 

•H 

r-H 

Si 







pH 



00 



w 


B 

(U CO 


•H 


4J a) 


to 


CO u 


tn ►> O 


rH 


CO rH 


CO 


•H 


d 


U co 


<3 


o pt< 




MJ 




to 




W) d 


6 




C <U 


co 




•H (-1 


U 




N -H CO 


w 




•H CO 4J 


PH 




4-1 <U C. 


o 


/ 


•H d <U 


HJ 


CM 


u c > 


o 


• 


O D U 


cu 


rH 


•H 


> 


• 


h M-i 




00 


U* Q J 



I oo 



I 00 



0 4-10 


> 


•H 


o 


w 


HJ 


cu 




CO 


co o d 


d 


cu d 


cu 


Hnrt qi 




B 


o u 


•pH 


u 


B u 


to 


cu 


p 


CU 


4-1 4-4 O d 


cu 


o o 


d 


-p- 


Q- 






< 


CO 


si 


U P 
CO H 


cd 


D ffi 




C co 
U 2 


cd 


^ o 


,f4 I 


P M 


pI 


O H 
P <3 


°i 


P 


•f4| 


co u 


00 


H (2 


Ol 


CO 


pi 
















rH 






C co 




CO to 




w 


O -f4 




d *pH 




•H 


•i-I CO 




O to 




^ w Eh 


j CO 




•rH >» 


V 


w to pi 


' CO H 

•r4 Cd 


/ 




4J rH 

o cd 


7 


to H w 
H CO Ph 








c e 




G 


♦ < 




CM 


D < 


00 




• 




• 


P 


• 




1 




CM 




CM 










1 




HJ 




d d 




cu o 


V 


B T3 *rH 


“T 


CU M HJ 




rH Cd 


CM 


P cd O 


• 


O <U -H 


00 


h h H 


■ 


Ph <3 *H 


CM 






I 

w 
o l 
p • 
w 

I' 











CO 


HJ 




4-> g 




4-1 g 4-1 


d d 




c <u 




C cu C 


o CU 




<U 4J CO 




<U 4-1 *H 


•rH g 




E co d 




g CO cd 


to CU . 


- V 


<u tn c 


•v 


Ql S. Li 


to HJ 


? 


4J CO D 


7 


w ri ri 

HJ CO HJ 


•H CO j 


1 


cd o 




cO w 


S 4-1 




4-1 4-4 PQ 




HJ H C 


CO 


CM 


CO o 


m 


CO o o 




* 




• 


o 


■■ J 


1 rH 




rH 





s 

13 

CO 

>* 

CO 

PS 

o 

pH 

CO 



CO 

j* 

gl 

I 



a 

o 

a 

o 

•pH 

to 

to 

•H 

e 

u 

cu 

p- 

a 

o 

•H 

HJ 

o 

a 

*0 

o 

o- 

CU 

1*1 

M 

o 

a 

CO 

a 

o 

•pH 

4 J 
Cd 
o 



a 

a 

e 






-9A- 






o 

ERIC 



3.2 General steps 



6. Select an undesired event for analysis on the basis of 
assigned priorities. 

7. Determine possible modes of occurrence -- that is, construct 
the fault tree. 

8. Validate the inputs. 

9 Evaluate the events for likelihood (probability) of occur- 
rence. Determine critical path(s) . (The quantification, 
computer analysis, and critical path identification are 
beyond the scope of this report.) 

10. Submit to appropriate person (s) (administrator, school 
board, etc.) for decision. 

3.2.1 Analysis of the system 

Suppose that it is desired to analyze a new instructional program 
in English. The system to be analyzed might be the program itself 
as it operates in one classroom, or in all of the classrooms in a 
' given grade in one school, or in all grades in that school, or in 
an entire school district, K-12. Once it is decided what the 
system is which will be analyzed, the system boundaries and 
elements can be described. 

An important consideration in this first step is to specify the 
type of output expected from the program, preferably in precise 
behavioral terms. Only if the output, or goal, is clear can 
decisions be made regarding whether the goal has been met. 

For instance, a school wants to improve an in-service training 
program for teachers. Let us postulate a two-week summer 
institute designed to prepare teachers to work with students 
whose first language was Spanish. If the institute has been 
properly designed, there will be one or more clear statements of 
exactly what the teachers will be expected to do at the end of 

- 10 - 






3.2.1 Analysis of the system 



the two weeks, and the steps by which they will get there. 5 The 
undesired event will then be a statement related to the major 
goal. 

3.2.2 Identification of subsystems and elements 

These may be arbitrary. For example, if the system is to be a 
new program in one classroom, then possible subsystems might be 
the content of the program, teaching facilities, equipment, the 
students in that classroom, their teacher, the room, time 
allotted for the program, and teaching strategies. 

Elements within a subsystem should be carefully considered, as 
most of the individual failure events will occur at this level. 

Even such an item as classroom lighting might be an important 
element. Elements in the student subsystem might be classified 
as failures before entering the program, during the program, and 
following the program. Teacher failure elements might include 
previous training, previous teaching experience, interest in the 
new program, preparation for the new program, understanding of 
the materials, rapport with the students, and so on. 

Each subsystem should be designed for success internally, but 
one task of educators is to insure that putting "safe” subsystems 
together will produce a "safe 1 * system. It is not automatic. Fault 
tree analysis shows the interaction effects of these subsystems. 

5por a more thorough discussion of behavioral objectives, see Mager, 
Robert* F. Preparing Instructional Objectives . Palo Alto: Fearon 

Publishers, 1962. . _ 

Also, Mager, Robert F. and Kenneth M. Beach, Jr. Developing Vocational 

Instruction. Palo Alto: Fearon Publishers, 1967. 



o 



- 11 - 



3.2 General Steps 



3.2.3 Bounding the system 

For the purposes of analysis, decide on the system bounds, 
ignoring anything outside. If necessary, however, specify those 
parts of other systems having important interfaces with the 
system to be analyzed. For example, since the success of a 
program might well be influenced by factors outside the classroom, 
the analyst would determine what other systems interface with the 
new program — perhaps the home and linguistic invironment of the 
students, the community, other classes in the school, the students’ 
peers, and so on. Other conceivable systems with which an instruc- 
tional program might interface are transportation, school recre- 
ation program, school administration, the P.T.A., or the secretarial 
staff. The decision as to the extent to which these interfaces 
should be analyzed will depend on the judgment of the analyst 
regarding the influence for failure that other systems might exert. 

3.2.4 Problem area identification 

It can be seen from Figure 1 that identification of the * real 
problems” can be accomplished by analysis for either system fail- 
ures or system success. Theoretically, if one could specify 
precisely all of the elements in the system which should insure 
success, including the successful modes of interaction, one would 
not need failure analysis. 

In practice, this is often very difficult to accomplish. Success 
is much harder to define, and therefore to measure. Success 
usually covers a range of, behaviors. According to one set of 
criteria, any student might be successful who graduates from 



- 12 - 




3.2.4 Problem area identification 



high school with a C average or above, if that is the criterion 
for college entrance. So ’’successes” might include all students 
from those just barely making a C average to straight A students. 
Even delineating some set of minimum standards for success is 
difficult . 

But if success is defined, for example, as ability to enter 
college, then it is much easier to define failure . Furthermore, 
ways by which one can fail are often fewer than those by which 
one can succeed. 

Education today is being wracked with controversy over the term, 
’’quality education.” It is easy to say what quality education 
is not, but much more difficult to prescribe what it is. Perhaps 
it could be said that a quality educational system is one in which 
the likelihood of occurrence of all identifiable hazard ous events, 
or outcomes, is maintained at an acceptable level . 

For example , at a time when the national unemployment rate is 
around three percent of the labor force, it might be said that 
no more than three percent of young adults just out of high school 
and looking for work should remain unemployed. The figures in 
some locales are running as high as 35 percent, an intolerable 
situation. 

The remaining discussion is predicated on the choice of fault tree 
analysis for problem identification. 

3.2.5 Identification and classification of undesired events 
At this stage one ’’scopes the system” by discovering all 

-13- 



o 



3.2.5 Identification and classification of undesired events 



identifiable undesired events related to the desired outcomes of 
the system, and making a tentative drawing of the top of the tree. 
The analyst need not be an expert on the system being analyzed, 
but may gather the relevant information from the experts. 



In order to assign priorities to the undesired events, a critical 
ity index should be used. The following classification is 
adapted from system safety engineering: 

Ex a mp 1 e: A potentially explosive classroom 



Index of criticality 

1. Safe - System functioning 
at "normal" expectancy. 

2. M arginal - Further deter- 
ioration of performance 
will lead to states 3 or 
t. 

3. Critic al - Must take 
immed late corrective; 
action. 

i+. Catastrophic - Intolerable. 



Critical even t 

"Normal" classroom 
interaction. 

Overt, prolonged student 
defiance disrupts 
classroom instruction. 



Students leave classroom 
precipitously during 
class time without 
permission. 

Students engage in 
destructive acts toward 
property and/or persons. 



As another example, consider the performance of an adult on a 
reading test required for a job. Types of performance might be 

ordered thus: 

1. Safe - Passes test with average score. 

2 + Ma rginal - Passes test with minimum score. 

3. Critical - Fails to pass test. 

I+. Catastrophic - Functional illiteracy. 

-lt- 

o 

ERIC 



3,2 General steps 



3,2.6 Selection of the undesired event for the top of the tree 

The criticality index will assist the analyst to set priorities 
on those events to be analyzed. The top undesired event should 
be derived from the clearly stated objectives of the system. 

What most critical event might occur which, if prevented, would 
enable the system to function effectively? The assumption is 
that S = 1 - F, where S is success, and F is the critical 
failure path. The event or problem should be stated in such a 
way that it does not suggest or state £ solution . 

From the system safety engineering standpoint, the events which 
need analysis the most are the critical or catastrophic ones. 

For long-range educational planning, marginal events may also 
need to be analyzed, as they may be the precursors of critical 
events in the future. Another contrast with hardware systems 
is that the catastrophic events analyzed usually have a very 
low probability of occurrence if the system has been well- designed. 
In the behavioral sciences, however, highly critical or even 
catastrophic outcomes occur with much higher frequency. For 
example, typical aerospace safety problems might be (1) to 
prevent the inadvertent launch of a missile, or (2) to prevent 
the loss of crew in a manned aerospace vehicle. Contrast the 
probability of those events with the incidence of fatal highway 
accidents, rate of unemployment of young adults in urban ghettos, 
or the probability of violence during demonstrations on a hot 
summer day. 



- 15 - 




3.2 General steps 



3.2.7 Construction of the tree 

Once the critical undesired event has been stated, the assumptions 
regarding the system and its subsystems should be clarified. At 
this point the analyst starts drawing the tree. 

If the analyst does not have a good working knowledge of the 
system he is to analyze, he can start by reading in the literature, 
talking to experts, and drawing up a list of failure events which 
are known to be related to the top event. After scoping the top 
of the tree, it might be well to work closely on each branch with 

experts in that area. 

The drawing of the tree then consists of asking the question at 
each step: What are the immediate probable causes of this event? 

This proximity may be in time, space, or in some other 
relationship. 

3. 2. 7.1 Lo gic operations (gatesj 

The tree is constructed by showing the relationship between various 
kinds of events. These relationships are symbolized by "GATES.” 

The following gates are used in this report in the prototype 
tree. The output from any event leads to the top of a gate, 
and the inputs lead from the bottom of the gate. 



- 16 - 



o 

ERJC 



3. 2. 7.1 Logic operations (gates) 



The AND Gate describes the logical operation 
whereby the coexistence of all input events 
is required to produce the output event. 



Output 




Inputs 



The OR Gate defines the situation whereby the 
output event will exist if one or more of the 
input events exists. 



Output 




Inputs 



The PRIORITY AND Gate performs the 
same logic function as the AND Gate 
with the additional stipulation that 
sequence as well as coexistence is 
required. 



The EXCLUSIVE OR Gate functions as 
an OR Gate with the restriction that 
specified inputs cannot coexist. 



Priority' 
Descrip- 
tion.^ 




Output 




mts 
Output 




Inputs 



INHIBIT Gates describe a casual rela- 
tionship between one fault and another. 
The input event directly produces the 
output event if the indicated condition 
is satisfied . The conditional input 
defines a state of the system that per- 
mits the fault sequence to occur, and 
may be either normal to the system or 
result from failures. It is represented 
by an oval if it describes a specific 
failure mode and a rectangle if it 
describes a condition that may exist 
for the life of the system. 




Inhibit 

Condition 




The MATRIX Gate is an abbreviated 
representation of a combination of 
events, which can be represented 
by a series of AND Gates summed 
together by an OR Gate. As used 
in this report, the matrix consists 
of two or more conditional events, 
for each of which the same or 
similar fault events could be the 
cause. 6 



^For further discussion, see Ericson, C. A. Advanced Concepts in the 
Usage of the Matrix Gate . Pamphlet. Boeing Weapon System Safety 
Division, August 1967. 



Output 




TTTT 

Inputs 

Faults) 








- 17 - 



3.2.7 Construction of the tree 



3. 2. 7. 2 Types of fault events 

The rectangle identifies an event that 
results from the combination of fault 
events through the input logic gate. 

The event is an input to the logic 
gate above the rectangle. 

The diamond describes a fault event 
which is not developed further in the 
tree, either (1) because the necessary 
information is unavailable, (2) because 
the event is relatively unlikely, or 
(3) because time or other constraints 
preclude analysis to any further depth. 



I 



T 




The circle describes a basic fault 
event that requires no further develop- 
ment. It is a primary failure of a 
discrete element due to its internal 
conditions. 




The oval is used to record conditional 
input to an INHIBIT Gate. It defines the 
state of the system that permits a fault 
sequence to occur, and may be either 
normal to the system or result from fail- 
ures. It differs from the rectangle in 
that the oval describes a condition at a 
particular point in' time, while the 
rectangle describes a condition that is 
part of the system. 




The house indicates an event that is 
normally expected to occur, such as a 
phase change in a dynamic system. It is 
a basic input. 



The small triangles are used as transfer 
symbols. A line from the apex of the 
triangle indicates a "transfer in" and a 
line from the side denotes a "transfer out." 





- 18 - 



3.2.7 Construction of the tree 



3. 2. 7. 3 Depth of resolution 

Using the foregoing symbols for failure events, conditions, and 
relationships, a tree of any size desired can be constructed, 
with the depth of resolution predetermined by time, available 
knowledge, and detail needed for adequate decision-making. One 
way to approach this is to decide that each of the events at the 
top of the tree, just below the critical undesired event, should 
be analyzed to a level of six or eight or some other desired 
number. Since the tree starts at the top and rapidly spreads in 
width and depth, even a relatively small tree with two inputs at 
each level for each event will reach 32 events by level five. 

The events in the prototype tree number well over 700, with over 
330 end events. The average depth of resolution is seven levels, 
and some branches extend to level twelve. 

3. 2. 7. 4 Determination of logic relationships and types of events 

At each new level ask the question, Does this event require the 
coexistence of two or more other events or conditions? If so, 
those events are inputs to an AND gate. If any set of events is 
composed of a number of events any one of which could cause the 
failure above it, those events become the inputs to an OR gate. 
There may be many inputs to an OR gate, but each one by itself 
must be able to cause the failure. 

After the logic gates are determined, the next step is to decide 
which of the inputs are prima ry , which are secondary , and which 
are command failure modes. A primary failure, represented by a 
circle, is a basic failure of some component or element. It is 



- 19 - 



3.2 .7 .4 Determination of logic relationships and types of events 



analogous to some failure in an organism. Typical primary fail- 
ures in the prototype tree are neurological deficits, blindness, 

deafness, and the like. 

A seconda ry failure, represented either by a rectangle or a 
diamond, depending on whether the analysis is to go further, is 
a failure from non-intended environmental conditions. There is 
an out-of-tolerance condition which brings about the failure 
event. Most of the events depicted in the prototype tree are 

secondary failures. 

A command mode is one in which the component goes into a failed 
state because someone told it to. It does not represent a failure 
of the component itself. For example, an employment agency might 
refuse to place an 18-year old on a job because the employer 
requested that the minimum age be 21. Command failures can be 
depicted also either by a rectangle or a diamond. 

The above rules are useful mainly as checks for the analyst to 
be sure that no important events are omitted. They have been 
taken from system safety engineering. It may well be that further 
development of fault tree analysis for the behavioral sciences 
will uncover additional or different principles which are more 
germane to non-hardware systems. 

As the analysis proceeds, it will be found that very similar 
events or even identical ones will show up in different branches 
of the tree. For example, stereotypes about mathematics learning 







- 20 - 



3. 2. 7. 4 Determination of logic relationships and types of events 



might show up in both the student and teacher branches. If the 
likelihood of the occurrence of these stereotypes is high, they 
are worth examining in more detail. 

The events depicted by circles and triangles will have no further 
inputs, but appear at the bottom of their branches. As the tree 
undergoes revisions, the diamonds may be analyzed in more depth, 
in which case they become rectangles. 

When the tree is finished, the gates are numbered to show the 
levels vertically and the number of gates horizontally. For 
example, the gate numbered E8 is at the fifth level from the top, 
and occurs after 7 previous gates at that level in other branches 
of the tree. 

Criteria for a good analysis are validity (is it thorough, compre- 
hensive, and true?), and feasibility (in terms of time, money, and 
the state of the art) . If the analysis generates enough informa- 
tion for decision-making to offset the time and money spent, it 
is worth doing. 

3.2.8 Validating the tree 

The rough draft of the fault tree is nothing more than an 
"argument tree" and should be validated as follows: 

a. Each rectangle should state an undesired event. 

b. Each and every rectangle should have the following questions 
asked of it by experts: 

(1) What are the causes of this particular undesired event? 

(2) Are all these causes listed? 



3.2.8 Validating the tree 



(3) Is each cause listed both necessary and sufficient to 
cause it to happen? If so, it should go under an OR 
gate; otherwise it should go under an AND gate. 

c. All rectangles which reach terminal points (events which 
the analyst does not intend to submit to further analysis) 
should be changed to circles for primary inputs, or diamonds. 

d. Redundancies existing on the same level should be sought 
and combined by redefinition of gates above them where 

possible . 

At various points in time during the construction of the tree, 
experts should be consulted to verify that the events depicted 
do in fact exist and that they have the designated relationships. 
It is often well to call in the experts several times during the 
drawing of the tree, to check for omissions, interactions, etc. 

3.2.9 Determining the critic al path (si 

The methods used in aerospace safety engineering to evaluate the 
likelihood of occurrence of fault events are not applicable to 
educational systems. The Alameda County PACE Center is now 
exploring alternate methods of determining probabilities and 
deriving a critical path. 

3.2.10 Submission to decision-m aker (s) 

If the fault tree analysis shows that changes in the system are 

necessary : 

consider what the system would be like with changes 

(in effect, a new system). 

go through, steps 7 to 9 again. 



- 22 - 



3.2.10 Submission to decision-maker (s) 



as l< 5 will the changes create other hazards in some way? 

N.B. If it is impossible to prevent the occurrence of an 

undesired event, it might still be possible to prevent 
that occurrence from having an undesired result . 

3 . 3 Using the analysis 

If the analysis is undertaken during the design of a new program, 
the decisions based on the tree should lead to design changes or 
the incorporation of monitoring devices or back-up plans where 
needed. The completed tree can then provide a verifiable check 
list of all critical events growing out of the construction of 
the tree, for use during the program, (1) to allocate responsi- 
bility, (2) define communication channels, (3) monitor components 
for faithfulness to the original plan, and (4^) spot potential 
trouble spots. It can also provide components for PERT. 

In a complex ongoing system decisions may be made leading to 
far-reaching system changes, reallocation of resources, or the 
development of new programs. A check list derived from the end 
events of the tree can help an administrator determine whether 
the system is providing for contingencies, whether further 
information is needed, and so on. 

Although the principal target population is usually determined 
through assumptions made before the tree construction, the tree u 
can further define who has the problem, to what extent, and at 
what point in time. The analyst can then indicate areas where 
surveys or other research would be beneficial to (1) supply 
missing data, fault events, or probabilities of fault events, or 
(2) to develop resource allocation strategies. 






- 23 - 



